diff --git a/policy-f20-base.patch b/policy-f20-base.patch index d9ee08e..5a37828 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -26223,7 +26223,7 @@ index 6bf0ecc..0d55916 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..a2c6981 100644 +index 2696452..e71983d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -26860,7 +26860,7 @@ index 2696452..a2c6981 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +688,145 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -26873,6 +26873,7 @@ index 2696452..a2c6981 100644 +#userdom_home_manager(xdm_t) +tunable_policy(`xdm_write_home',` + userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) ++ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) +',` + userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file }) +') @@ -27011,7 +27012,7 @@ index 2696452..a2c6981 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -27038,7 +27039,7 @@ index 2696452..a2c6981 100644 ') optional_policy(` -@@ -514,12 +866,57 @@ optional_policy(` +@@ -514,12 +867,57 @@ optional_policy(` ') optional_policy(` @@ -27096,7 +27097,7 @@ index 2696452..a2c6981 100644 hostname_exec(xdm_t) ') -@@ -537,28 +934,78 @@ optional_policy(` +@@ -537,28 +935,78 @@ optional_policy(` ') optional_policy(` 
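Review bot: The added `userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })` widens the `xdm_write_home` tunable from user home directories to the administrator's home directory (/root, per the changelog), but nothing in this hunk updates the tunable's description, so an administrator enabling the boolean will not learn that xdm_t may now create xdm_home_t files and symlinks in /root. The `gen_tunable` declaration of `xdm_write_home` is outside this hunk; its description should state the new scope, e.g. `## Allow xdm to create xdm_home_t files and symlinks in user home directories and in the admin home directory (/root)`. The `else` branch still only covers user home directories via `userdom_user_home_dir_filetrans_user_home_content`, so with the boolean off there is no corresponding transition for the admin home directory — confirm that asymmetry is intended rather than an omission. The `tunable_policy` block is fully visible here, but the enclosing xdm_t rule section of xserver.te continues outside the hunk on both sides.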
@@ -27184,7 +27185,7 @@ index 2696452..a2c6981 100644 ') optional_policy(` -@@ -570,6 +1017,14 @@ optional_policy(` +@@ -570,6 +1018,14 @@ optional_policy(` ') optional_policy(` @@ -27199,7 +27200,7 @@ index 2696452..a2c6981 100644 xfs_stream_connect(xdm_t) ') -@@ -584,7 +1039,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1040,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -27208,7 +27209,7 @@ index 2696452..a2c6981 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27221,7 +27222,7 @@ index 2696452..a2c6981 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -27237,7 +27238,7 @@ index 2696452..a2c6981 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -27248,7 +27249,7 @@ index 2696452..a2c6981 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27270,7 +27271,7 @@ index 2696452..a2c6981 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -27284,7 +27285,7 @@ index 2696452..a2c6981 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -27316,7 +27317,7 @@ index 2696452..a2c6981 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27334,7 +27335,7 @@ index 2696452..a2c6981 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1198,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1199,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -27358,7 +27359,7 @@ index 2696452..a2c6981 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -27367,7 +27368,7 @@ index 2696452..a2c6981 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1261,44 @@ optional_policy(` +@@ -775,16 +1262,44 @@ optional_policy(` ') optional_policy(` @@ -27413,7 +27414,7 @@ index 2696452..a2c6981 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1307,10 @@ optional_policy(` +@@ -793,6 +1308,10 @@ optional_policy(` ') optional_policy(` @@ -27424,7 +27425,7 @@ index 2696452..a2c6981 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -27438,7 +27439,7 @@ index 2696452..a2c6981 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -27447,7 +27448,7 @@ index 2696452..a2c6981 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1350,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1351,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27482,7 +27483,7 @@ index 2696452..a2c6981 100644 ') optional_policy(` -@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -27491,7 +27492,7 @@ index 2696452..a2c6981 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -27523,7 +27524,7 @@ index 2696452..a2c6981 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 348ca46..2d08b5b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -99937,7 +99937,7 @@ index 9dec06c..fddb027 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..f48af33 100644 +index 1f22fba..2dba7ec 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -100858,7 +100858,7 @@ index 1f22fba..f48af33 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +619,276 @@ optional_policy(` +@@ -737,44 +619,277 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -100902,6 +100902,7 @@ index 1f22fba..f48af33 100644 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +kernel_read_net_sysctls(virt_domain) ++kernel_read_network_state(virt_domain) -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) @@ -101158,7 +101159,7 @@ index 1f22fba..f48af33 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +899,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +900,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
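Review bot: `kernel_read_network_state(virt_domain)` is granted to the whole `virt_domain` attribute rather than to one domain, so every type carrying that attribute — presumably including the per-guest svirt domains that run untrusted guest workloads — gains read access to the kernel's network state (proc_net_t, i.e. /proc/net, in the reference policy). The hunk carries no comment explaining which denial or feature required it, and the changelog only says "Allow virt domains to read network state", so a later reviewer cannot judge whether the attribute-wide grant is necessary or a narrower domain would do. A one-line comment above the new rule, e.g. `# virt domains read /proc/net state — <reason or bug id>`, would record that justification. The surrounding virt_domain rule block continues outside the hunk on both sides.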
@@ -101185,7 +101186,7 @@ index 1f22fba..f48af33 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +919,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +920,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -101219,7 +101220,7 @@ index 1f22fba..f48af33 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +956,20 @@ optional_policy(` +@@ -847,14 +957,20 @@ optional_policy(` ') optional_policy(` @@ -101241,7 +101242,7 @@ index 1f22fba..f48af33 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +994,65 @@ optional_policy(` +@@ -879,49 +995,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -101325,7 +101326,7 @@ index 1f22fba..f48af33 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1064,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1065,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -101345,7 +101346,7 @@ index 1f22fba..f48af33 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1085,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1086,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -101369,7 +101370,7 @@ index 1f22fba..f48af33 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1110,272 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1111,272 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -101780,7 +101781,7 @@ index 1f22fba..f48af33 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1388,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1389,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -101795,7 +101796,7 @@ index 1f22fba..f48af33 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1406,8 @@ optional_policy(` +@@ -1183,9 +1407,8 @@ optional_policy(` ######################################## # @@ -101806,7 +101807,7 @@ index 1f22fba..f48af33 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1420,206 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1421,206 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 208f93c..24ce689 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -579,6 +579,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 7 2014 Miroslav Grepl 3.12.1-132 +- Modify xdm_write_home to allow create files/links in /root with xdm_home_ +- Allow virt domains to read network state + * Thu Mar 6 2014 Miroslav Grepl 3.12.1-131 - Added pcp rules - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6